Merge branch 'master' of https://github.com/MicrosoftDocs/sql-docs-pr into release-sqlseattle

Author: v-alje

docs/2014/database-engine/sql-server-managed-backup-to-windows-azure-retention-and-storage-settings.md

@@ -127,9 +127,9 @@ manager: craigg
     ```  
   
 ##  <a name="InstanceConfigure"></a> Enable and Configure Default [!INCLUDE[ss_smartbackup](../includes/ss-smartbackup-md.md)] settings for the Instance  
- You can enable and configure default [!INCLUDE[ss_smartbackup](../includes/ss-smartbackup-md.md)] settings at the instance level in two ways:  By using the system stored procedure `smart_backup.set_instance_backup` or **SQL Server Management Studio**. The two methods are explained below:  
+ You can enable and configure default [!INCLUDE[ss_smartbackup](../includes/ss-smartbackup-md.md)] settings at the instance level in two ways:  By using the system stored procedure `smart_admin.set_instance_backup` or **SQL Server Management Studio**. The two methods are explained below:  
   
- **smart_backup.set_instance_backup:**. By specifying the value **1** for *@enable_backup* parameter, you can enable backup and set the default configurations. Once applied at the instance level, these default settings are applied to any new database that is added to this instance.  When [!INCLUDE[ss_smartbackup](../includes/ss-smartbackup-md.md)] is enabled for the first time, the following information must be provided in addition to enabling [!INCLUDE[ss_smartbackup](../includes/ss-smartbackup-md.md)] on the instance:  
+ **smart_admin.set_instance_backup:**. By specifying the value **1** for *@enable_backup* parameter, you can enable backup and set the default configurations. Once applied at the instance level, these default settings are applied to any new database that is added to this instance.  When [!INCLUDE[ss_smartbackup](../includes/ss-smartbackup-md.md)] is enabled for the first time, the following information must be provided in addition to enabling [!INCLUDE[ss_smartbackup](../includes/ss-smartbackup-md.md)] on the instance:  
   
 -   The retention period.  
   

docs/integration-services/connection-manager/azure-storage-connection-manager.md

@@ -31,6 +31,6 @@ Following properties are available.
 - **Authentication:** Specifies the authentication method to use. **AccessKey** and **ServicePrincipal** authentication are supported.
     - **AccessKey:** For this authentication method, specify the **Account key**.
     - **ServicePrincipal:** For this authentication method, specify the **Application ID**, **Application key**, **Tenant ID** of the service principal.
-      The service principal should be assigned **Storage Blob Data Contributor** role to the storage account.
+      For **Test Connection** to work, the service principal should be assigned at least **Storage Blob Data Reader** role to the storage account.
       Refer to [this](https://docs.microsoft.com/azure/storage/common/storage-auth-aad-rbac-portal#assign-rbac-roles-using-the-azure-portal) page for details.
 - **Environment:** Specifies the cloud environment hosting the storage account.

docs/integration-services/control-flow/flexible-file-task.md

@@ -37,8 +37,27 @@ For **Copy** operation, following properties are available.
 - **SourceConnection:** Specifies the source connection manager.
 - **SourceFolderPath:** Specifies the source folder path.
 - **SourceFileName:** Specifies the source file name. If left blank, the source folder will be copied.
-- **SearchRecursively:** Specifies whether to recursively copy sub-folders.
+- **SearchRecursively:** Specifies whether to recursively copy subfolders.
 - **DestinationConnectionType:** Specifies the destination connection manager type.
 - **DestinationConnection:** Specifies the destination connection manager.
 - **DestinationFolderPath:** Specifies the destination folder path.
 - **DestinationFileName:** Specifies the destination file name.
+
+***Notes on Service Principal Permission Configuration***
+
+For **Test Connection** to work (either blob storage or Data Lake Storage Gen2), the service principal should be assigned at least **Storage Blob Data Reader** role to the storage account.
+This is done with [RBAC](https://docs.microsoft.com/azure/storage/common/storage-auth-aad-rbac-portal#assign-rbac-roles-using-the-azure-portal).
+
+For blob storage, read and write permissions are granted by assigning at least **Storage Blob Data Reader** and **Storage Blob Data Contributor** roles, respectively.
+
+For Data Lake Storage Gen2, permission is determined by both RBAC and [ACLs](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-how-to-set-permissions-storage-explorer).
+Pay attention that ACLs are configured using the Object ID (OID) of the service principal for the app registration as detailed [here](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control#how-do-i-set-acls-correctly-for-a-service-principal).
+This is different from the Application (client) ID that is used with RBAC configuration.
+When a security principal is granted RBAC data permissions through a built-in role, or through a custom role, these permissions are evaluated first upon authorization of a request.
+If the requested operation is authorized by the security principal's RBAC assignments, then authorization is immediately resolved and no additional ACL checks are performed.
+Alternatively, if the security principal does not have an RBAC assignment, or the request's operation does not match the assigned permission, then ACL checks are performed to determine if the security principal is authorized to perform the requested operation.
+
+- For read permission, grant at least **Execute** permission starting from the source file system, along with **Read** permission for the files to copy. Alternatively, grant at least the **Storage Blob Data Reader** role with RBAC.
+- For write permission, grant at least **Execute** permission starting from the sink file system, along with **Write** permission for the sink folder. Alternatively, grant at least the **Storage Blob Data Contributor** role with RBAC.
+
+See [this](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control) article for details.

docs/integration-services/control-flow/foreach-loop-container.md

@@ -501,7 +501,19 @@ Specifies an existing Azure Storage Connection Manager or creates a new one that
 Specifies the path of the folder to enumerate files in.
 
 **SearchRecursively**  
-Specifies whether to search recursively within the specified folder.  
+Specifies whether to search recursively within the specified folder.
+
+***Notes on Service Principal Permission Configuration***
+
+Data Lake Storage Gen2 permission is determined by both [RBAC](https://docs.microsoft.com/azure/storage/common/storage-auth-aad-rbac-portal#assign-rbac-roles-using-the-azure-portal) and [ACLs](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-how-to-set-permissions-storage-explorer).
+Pay attention that ACLs are configured using the Object ID (OID) of the service principal for the app registration as detailed [here](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control#how-do-i-set-acls-correctly-for-a-service-principal).
+This is different from the Application (client) ID that is used with RBAC configuration.
+When a security principal is granted RBAC data permissions through a built-in role, or through a custom role, these permissions are evaluated first upon authorization of a request.
+If the requested operation is authorized by the security principal's RBAC assignments, then authorization is immediately resolved and no additional ACL checks are performed.
+Alternatively, if the security principal does not have an RBAC assignment, or the request's operation does not match the assigned permission, then ACL checks are performed to determine if the security principal is authorized to perform the requested operation.
+For the enumerator to work, grant at least **Execute** permission starting from the root file system, along with **Read** permission for the target folder.
+Alternatively, grant at least the **Storage Blob Data Reader** role with RBAC.
+See [this](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control) article for details.
 
 ## Variable Mappings Page - Foreach Loop Editor
  Use the **Variables Mappings** page of the **Foreach Loop Editor** dialog box to map variables to the collection value. The value of the variable is updated with the collection values on each iteration of the loop.  

docs/integration-services/data-flow/flexible-file-destination.md

@@ -46,12 +46,29 @@ Following properties are available on the **Advanced Editor**.
 - **escapeChar:** The special character used to escape a column delimiter in the content of input file. You cannot specify both escapeChar and quoteChar for a table. Only one character is allowed. No default value.
 - **quoteChar:** The character used to quote a string value. The column and row delimiters inside the quote characters would be treated as part of the string value. This property is applicable to both input and output datasets. You cannot specify both escapeChar and quoteChar for a table. Only one character is allowed. No default value.
 - **nullValue:** One or more characters used to represent a null value. The **default** value is \N.
-- **encodingName:** Specify the encoding name. See [Encoding.EncodingName](https://docs.microsoft.com/en-us/dotnet/api/system.text.encoding?redirectedfrom=MSDN&view=netframework-4.8) Property.
+- **encodingName:** Specify the encoding name. See [Encoding.EncodingName](https://docs.microsoft.com/dotnet/api/system.text.encoding?redirectedfrom=MSDN&view=netframework-4.8) Property.
 - **skipLineCount:**  Indicates the number of non-empty rows to skip when reading data from input files. If both skipLineCount and firstRowAsHeader are specified, the lines are skipped first and then the header information is read from the input file.
 - **treatEmptyAsNull:** Specifies whether to treat null or empty string as a null value when reading data from an input file. The **default** value is True.
 
 After specifying the connection information, switch to the **Columns** page to map source columns to destination columns for the SSIS data flow.
 
+**Notes on Service Principal Permission Configuration**
+
+For **Test Connection** to work (either blob storage or Data Lake Storage Gen2), the service principal should be assigned at least **Storage Blob Data Reader** role to the storage account.
+This is done with [RBAC](https://docs.microsoft.com/azure/storage/common/storage-auth-aad-rbac-portal#assign-rbac-roles-using-the-azure-portal).
+
+For blob storage, write permission is granted by assigning at least **Storage Blob Data Contributor** role.
+
+For Data Lake Storage Gen2, permission is determined by both RBAC and [ACLs](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-how-to-set-permissions-storage-explorer).
+Pay attention that ACLs are configured using the Object ID (OID) of the service principal for the app registration as detailed [here](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control#how-do-i-set-acls-correctly-for-a-service-principal).
+This is different from the Application (client) ID that is used with RBAC configuration.
+When a security principal is granted RBAC data permissions through a built-in role, or through a custom role, these permissions are evaluated first upon authorization of a request.
+If the requested operation is authorized by the security principal's RBAC assignments, then authorization is immediately resolved and no additional ACL checks are performed.
+Alternatively, if the security principal does not have an RBAC assignment, or the request's operation does not match the assigned permission, then ACL checks are performed to determine if the security principal is authorized to perform the requested operation.
+For write permission, grant at least **Execute** permission starting from the sink file system, along with **Write** permission for the sink folder.
+Alternatively, grant at least the **Storage Blob Data Contributor** role with RBAC.
+See [this](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control) article for details.
+
 **Prerequisite for ORC/Parquet File Format**
 
 Java is required to use ORC/Parquet file format.

docs/integration-services/data-flow/flexible-file-source.md

@@ -44,12 +44,29 @@ Following properties are available on the **Advanced Editor**.
 - **escapeChar:** The special character used to escape a column delimiter in the content of input file. You cannot specify both escapeChar and quoteChar for a table. Only one character is allowed. No default value.
 - **quoteChar:** The character used to quote a string value. The column and row delimiters inside the quote characters would be treated as part of the string value. This property is applicable to both input and output datasets. You cannot specify both escapeChar and quoteChar for a table. Only one character is allowed. No default value.
 - **nullValue:** One or more characters used to represent a null value. The **default** value is \N.
-- **encodingName:** Specify the encoding name. See [Encoding.EncodingName](https://docs.microsoft.com/en-us/dotnet/api/system.text.encoding?redirectedfrom=MSDN&view=netframework-4.8) Property.
+- **encodingName:** Specify the encoding name. See [Encoding.EncodingName](https://docs.microsoft.com/dotnet/api/system.text.encoding?redirectedfrom=MSDN&view=netframework-4.8) Property.
 - **skipLineCount:**  Indicates the number of non-empty rows to skip when reading data from input files. If both skipLineCount and firstRowAsHeader are specified, the lines are skipped first and then the header information is read from the input file.
 - **treatEmptyAsNull:** Specifies whether to treat null or empty string as a null value when reading data from an input file. The **default** value is True.
 
 After you specify the connection information, switch to the **Columns** page to map source columns to destination columns for the SSIS data flow.
 
+**Notes on Service Principal Permission Configuration**
+
+For **Test Connection** to work (either blob storage or Data Lake Storage Gen2), the service principal should be assigned at least **Storage Blob Data Reader** role to the storage account.
+This is done with [RBAC](https://docs.microsoft.com/azure/storage/common/storage-auth-aad-rbac-portal#assign-rbac-roles-using-the-azure-portal).
+
+For blob storage, read permission is granted by assigning at least **Storage Blob Data Reader** role.
+
+For Data Lake Storage Gen2, permission is determined by both RBAC and [ACLs](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-how-to-set-permissions-storage-explorer).
+Pay attention that ACLs are configured using the Object ID (OID) of the service principal for the app registration as detailed [here](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control#how-do-i-set-acls-correctly-for-a-service-principal).
+This is different from the Application (client) ID that is used with RBAC configuration.
+When a security principal is granted RBAC data permissions through a built-in role, or through a custom role, these permissions are evaluated first upon authorization of a request.
+If the requested operation is authorized by the security principal's RBAC assignments, then authorization is immediately resolved and no additional ACL checks are performed.
+Alternatively, if the security principal does not have an RBAC assignment, or the request's operation does not match the assigned permission, then ACL checks are performed to determine if the security principal is authorized to perform the requested operation.
+For read permission, grant at least **Execute** permission starting from the source file system, along with **Read** permission for the files to read.
+Alternatively, grant at least the **Storage Blob Data Reader** role with RBAC.
+See [this](https://docs.microsoft.com/azure/storage/blobs/data-lake-storage-access-control) article for details.
+
 **Prerequisite for ORC/Parquet File Format**
 
 Java is required to use ORC/Parquet file format.

docs/linux/quickstart-install-connect-docker.md

@@ -89,7 +89,7 @@ Before starting the following steps, make sure that you have selected your prefe
 
    ::: zone pivot="cs1-bash"
    ```bash
-   sudo docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=<YourStrong!Passw0rd>' \
+   sudo docker run -e "ACCEPT_EULA=Y" -e "SA_PASSWORD=<YourStrong!Passw0rd>" \
       -p 1433:1433 --name sql1 \
       -d mcr.microsoft.com/mssql/server:2017-latest
    ```
@@ -208,7 +208,7 @@ Before starting the following steps, make sure that you have selected your prefe
 
    ::: zone pivot="cs1-bash"
    ```bash
-   sudo docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=<YourStrong!Passw0rd>' \
+   sudo docker run -e "ACCEPT_EULA=Y" -e "SA_PASSWORD=<YourStrong!Passw0rd>" \
       -p 1433:1433 --name sql1 \
       -d mcr.microsoft.com/mssql/server:2019-CTP3.1-ubuntu
    ```
@@ -299,7 +299,7 @@ The **SA** account is a system administrator on the SQL Server instance that get
    ::: zone pivot="cs1-bash"
    ```bash
    sudo docker exec -it sql1 /opt/mssql-tools/bin/sqlcmd \
-      -S localhost -U SA -P '<YourStrong!Passw0rd>' \
+      -S localhost -U SA -P "<YourStrong!Passw0rd>" \
       -Q 'ALTER LOGIN SA WITH PASSWORD="<YourNewStrong!Passw0rd>"'
    ```
    ::: zone-end
@@ -347,7 +347,7 @@ The following steps use the SQL Server command-line tool, **sqlcmd**, inside the
 2. Once inside the container, connect locally with sqlcmd. Sqlcmd is not in the path by default, so you have to specify the full path.
 
    ```bash
-   /opt/mssql-tools/bin/sqlcmd -S localhost -U SA -P '<YourNewStrong!Passw0rd>'
+   /opt/mssql-tools/bin/sqlcmd -S localhost -U SA -P "<YourNewStrong!Passw0rd>"
    ```
 
    > [!TIP]
@@ -449,7 +449,7 @@ The following steps use **sqlcmd** outside of your container to connect to SQL S
 
    ::: zone pivot="cs1-bash"
    ```bash
-   sqlcmd -S <ip_address>,1433 -U SA -P '<YourNewStrong!Passw0rd>'
+   sqlcmd -S <ip_address>,1433 -U SA -P "<YourNewStrong!Passw0rd>"
    ```
    ::: zone-end